In this article, we compare and explain the search results and methods of Google Hacking’s intitle filter, which searches only sites with specific keywords in the title, and Criminal IP’s title filter.
What is Google Hacking?
Google Hacking is a technique that uses Google Search and Google's applications to find security vulnerabilities in the construction and computer code of a website. The information that can be collected with Google Hacking can be surprisingly diverse. In general, results are narrowed to specific conditions by combining keyword searches in quotation marks (" ") with filters such as filetype, site, inurl, and intitle.
Compared to Google, which collects data based on the web, Criminal IP (https://www.criminalip.io/) collects data based on IP and port information. However, if the collected information comes from a web port, results previously invisible in the Google search engine can be found using Criminal IP. In particular, Google's intitle: filter shows results based on the content of a website's <title> tag, which works much like Criminal IP's title: filter. Let's look at some of Google Hacking's search tips and compare them to Criminal IP features.
Searching for vulnerable directory listings using dead.letter

Google search result for intitle:index.of "dead.letter"
The dead.letter file is an error log generated when a specific error occurs in a Linux/Unix environment. 'index.of' is a string that appears when visiting a website with a directory listing vulnerability, so the search results yield addresses of servers with full server accessibility.

An index.of file with vulnerable server addresses with full server accessibility.
This particular string is visible and can be used to identify websites with directory listing vulnerabilities.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
Criminal IP can yield the same results as shown with the title: filter. Use the query shown below to access Criminal IP’s Asset Search results.

Criminal IP Asset Search results for "dead.letter" title:index.of
Criminal IP search results also show unique data that users cannot access on Google. In addition, Criminal IP identifies data by country, presence/absence of CVE vulnerabilities, and types of web servers involved.
Finding Remote Desktop Servers in Web format

Google search result for intitle:"Remote Desktop Web Connection" inurl:tsweb
Microsoft also provides web versions of RDP servers. In other words, this Google Hacking query is an example of how an externally exposed RDP server can be found.

Microsoft RDP server in web format, exposed on Google Hacking search results
Users can run the same query with Criminal IP's title: filter.

Criminal IP Asset Search results for title:"Remote Desktop Web Connection"
It should also be noted that Criminal IP Image Search provides RDP screenshots for user convenience.

Criminal IP Image Search results for RDP
Detect Apache Test Pages in Default State

Google Search results for intitle:"Test Page for Apache"
The screenshot below is the default welcome page you see right after installing the Apache server. This is a famous example of a vulnerability that can be found using Google Hacking.

An exposed Apache Default Welcome page shown on Google Hacking search results for intitle:"Test Page for Apache"
Use the following query to yield the same search results using Criminal IP:

Criminal IP Asset Search results for title:"Test Page for Apache installation"
It is very evident that Criminal IP’s results tab shows far more data than what users can find using Google Hacking. This can be attributed to IT system set-ups, where systems installed in a default state often lack a domain to be attributed to. Therefore, compared to Google, which crawls domains more centrally, Criminal IP, which continuously collects IPs worldwide, can provide more detailed search results for default welcome pages.
We have previously covered the dangers of default welcome pages in our article, Default welcome page exposure: A Significant Security Risk.
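For checking your own servers against the three title strings used in this article, the sketch below extracts the <title> text from a response body and labels it. It is an added example, not Criminal IP's or Google's code; the label names, function names and sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

# Title markers taken from the three searches in this article (lower-cased).
TITLE_MARKERS = {
    "directory-listing": "index of /",
    "rdp-web-connection": "remote desktop web connection",
    "apache-default-page": "test page for apache",
}

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title, self.done, self.title = False, False, ""
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def extract_title(html):
    parser = TitleParser()
    parser.feed(html)
    parser.close()
    return " ".join(parser.title.split())  # collapse whitespace and newlines

def classify(html):
    """Return the sorted labels whose marker appears in the page title."""
    title = extract_title(html).lower()
    return sorted(k for k, m in TITLE_MARKERS.items() if m in title)

def audit(responses):
    """Map host -> labels for hosts whose title matches; others are omitted."""
    return {h: c for h, c in ((h, classify(b)) for h, b in responses.items()) if c}

# Constructed sample responses (192.0.2.0/24 is a documentation range).
SAMPLE = {
    "192.0.2.10": "<html><head><title>Index of /</title></head><body><h1>Index of /</h1>",
    "192.0.2.11": "<html><head><TITLE>Remote Desktop\n Web Connection</TITLE></head></html>",
    "192.0.2.12": "<title>Test Page for Apache Installation</title>",
    "192.0.2.13": "<title>Docs</title><body>How to read an Index of / page</body>",
}

if __name__ == "__main__":
    for host, labels in audit(SAMPLE).items():
        print(host, ", ".join(labels))
```

The last sample mentions "Index of /" only in the body, so it is not flagged, which mirrors how a title-only filter behaves.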
Lastly, we would like to note that Google Hacking has far more filters than the intitle: filter we covered today. In addition, search result data can vary wildly between the applications used, with Criminal IP yielding more result volume at times and vice versa. Therefore, using both services can benefit users in collecting more comprehensive threat intelligence.
Source: Criminal IP (https://www.criminalip.io)